GAO: National strategy needed to counter increasing cyber threats
Facing growing cyber threats to the nation's computer systems and critical infrastructure, federal agencies need a comprehensive national strategy that better defines roles and responsibilities and can be more effectively implemented, says a Feb. 14 Government Accountability Office report.
The GAO report acknowledges that the federal government has issued a variety of strategy-related documents over the last decade, addressing priorities for enhancing the agencies' cybersecurity as well as for encouraging improvements in the cybersecurity of critical infrastructure within the private sector. However, auditors charge that "no overarching cybersecurity strategy has been developed that articulates priority actions, assigns responsibilities for performing them, and sets timeframes for their completion."
The government's existing cybersecurity strategy documents, the GAO says, are missing key elements including: milestones and performance measures, cost and resources, roles and responsibilities, and linkage with other strategy documents.
According to the report, the government's strategy documents include few milestones or performance measures, "making it difficult to track progress in accomplishing stated goals and objectives." In addition, while past strategy documents linked certain activities to budget submissions, the GAO asserts that none have fully addressed cost and resources, including justifying the required investment, which is critical to gaining support for implementation. Moreover, none of the documents provided full assessments of anticipated costs and how resources might be allocated to address them.
These same cybersecurity strategy documents have assigned high-level roles and responsibilities but have "left important details unclear," finds the report. For instance, the GAO says it is unclear how the Office of Management and Budget and the Homeland Security Department are to share oversight of individual departments and agencies. While the law gives OMB responsibility for oversight of federal government information security, OMB transferred several of its oversight responsibilities to DHS.
Making matters worse, argues the report, existing cybersecurity strategy documents vary in terms of priorities and structure, and do not specify how they link to or supersede other documents, nor do they describe how they fit into an overarching national cybersecurity strategy.
"Further, until an overarching national cybersecurity strategy is developed that addresses all key elements of desirable characteristics, overall progress in achieving the government's objectives is likely to remain limited," the report says.
In its response to the GAO report, the Executive Office of the President agreed that more needs to be done to develop a coherent and comprehensive strategy on cybersecurity but did not believe producing another strategy document would be beneficial. However, auditors insist that an overarching strategy document that includes milestones and performance measures, cost and resources, roles and responsibilities, and linkage with other key strategy documents would provide a more effective framework for implementing cybersecurity activities.